BGP AS Path Prepending, or BGP prepend, is a common technique for manipulating inbound traffic. When we want to engineer the traffic coming from another BGP AS into our own BGP AS, AS path prepending is one of the most common mechanisms. There are also cases where BGP AS prepending doesn't work and shouldn't be used, and in this post we will look at those too, using the topology below.
In the above topology we have two BGP Autonomous Systems. AS 200 is the customer BGP AS, and AS 100 is the provider BGP AS. As a customer, AS 200 wants AS 100 to send traffic over the left path as the primary path and over the right path as a backup path, as depicted in the above topology.
The customer's AS number already appears once in the AS path, and with 3 additional prepends over the backup path in the above topology the AS number is sent a total of 4 times. The expectation is that the upstream BGP AS, AS 100, will make its BGP best-path selection based on the AS Path attribute and choose the link with the shorter AS Path over the link with the longer AS Path; the customer's expectation is then achieved, with the left path used as primary and the right path as backup.
You may want the upstream provider to base its BGP best-path selection on the AS path, so you prepend, but they might be using BGP Local Preference as their best-path selection decision, and since Local Preference is compared before AS path length, prepending then has no effect. In this case BGP communities are used (typically to ask the provider to set its Local Preference). With BGP communities the idea is the same: the customer wants to influence the BGP best-path selection decision of the upstream provider, and uses the BGP Community attribute instead of the BGP AS-path attribute.
With a BGP hijack attack, the attacker wants to influence traffic by announcing your own BGP AS number, claiming to be the real owner of the BGP AS; because their AS-path length is shorter, the networks that see the attacker as closer send the traffic to the attacker's network. BGP AS Path prepending just helps the attacker succeed. Another reason why we shouldn't use excessive BGP prepending is that many ASes on the Internet filter announcements with an excessive AS Path length.
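As an added illustration of the decision process described above (not the post's own code; the 203.0.113.0/24 prefix, the link names and the 50-hop filter threshold are assumptions), the following Python model applies a simplified best-path selection, highest Local Preference first and then shortest AS path, to the two announcements from AS 200, and shows that prepending wins only when Local Preference ties and that an excessively prepended announcement is dropped by a length filter before it is ever compared.

```python
from dataclasses import dataclass

# Constructed model of the page's topology: AS 200 (customer) announces one
# prefix to AS 100 (provider) over two links; AS 100 selects a single best path.
CUSTOMER_AS = 200
MAX_AS_PATH_LEN = 50  # assumed ingress filter threshold, not taken from the page


@dataclass
class Route:
    prefix: str
    as_path: list          # leftmost ASN is the most recently added hop
    local_pref: int = 100  # provider-side default when no policy sets it
    via: str = ""          # which link the announcement arrived on


def prepend(route: Route, times: int) -> Route:
    """Customer-side policy: add the origin AS `times` extra times to the path."""
    return Route(route.prefix, [route.as_path[0]] * times + route.as_path,
                 route.local_pref, route.via)


def accept(route: Route, max_len: int = MAX_AS_PATH_LEN) -> bool:
    """Provider-side ingress filter: reject announcements with an excessive AS path."""
    return len(route.as_path) <= max_len


def best_path(routes):
    """Simplified BGP decision: highest LOCAL_PREF wins, then shortest AS_PATH.
    On a full tie the first announcement seen is kept."""
    candidates = [r for r in routes if accept(r)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.local_pref, -len(r.as_path)))


def customer_scenario(provider_prefers_right=False, backup_prepends=3):
    """AS 200 announces over both links, prepending on the right (backup) link."""
    primary = Route("203.0.113.0/24", [CUSTOMER_AS], via="left")
    backup = prepend(Route("203.0.113.0/24", [CUSTOMER_AS], via="right"),
                     backup_prepends)
    if provider_prefers_right:
        backup.local_pref = 200  # provider policy overrides the AS_PATH comparison
    return best_path([primary, backup])


if __name__ == "__main__":
    print("default provider policy ->", customer_scenario().via)
    print("provider sets LOCAL_PREF on right ->",
          customer_scenario(provider_prefers_right=True).via)
```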
Orhan Ergun, CCIE/CCDE Trainer, Author of Many Networking Books, Network Design Advisor, and Cisco Champion 2019/2020/2021
He created OrhanErgun.Net 10 years ago and has been serving the IT industry with his renowned and awarded training.
He wrote many books, mostly on Network Design, contributed to many IETF RFCs, gave public talks at many forums, and mentored thousands of students.
Today, with his carefully selected instructors, OrhanErgun.Net is providing IT courses to tens of thousands of IT engineers.